A. Purpose and Scope
The purpose of this policy is to provide a framework under which United Way Centraide Windsor-Essex Chatham-Kent (“United Way”), in its role as the backbone organization for the ProsperUs collective impact initiative, will acquire, store, use, and disclose data collected from program participants, partners, and third parties.
This policy supports our organization’s overall data governance strategy and is informed by the organization’s Value Statements. Formal policies will be further developed to support donor and volunteer data separate from this policy.
B. Definition of “Data”
For purposes of this policy, data represents both qualitative information (stories, spoken accounts, video recordings, etc.) or quantitative information (statistical/measurement tracking, administrative tracking or outcomes) that is collected from program participants, community members, partners, or staff. This information could be collected through a range of tools including, but not limited to, surveys, software tools, testing materials, recorded conversations, notes from formal interviews or focus groups, and case or observational notes.
Data also refers to potential outputs of transformations from one form of data to another – for example, taking a written story and narrating it in a video, creating an index from multiple program surveys, or taking individual attendance data and using it to calculate an average for a period of time. The term “data” will be used in an all-encompassing manner in this policy. Unless specifically mentioned, the reader should assume that all types of data are bound by the policies outlined below. A full glossary of terms is included in Section N.
C. Respecting Data Interests
United Way recognizes that participants have significant interests in data collected from them. As stewards and custodians of that data, United Way is responsible for maintaining data in a manner that is respectful of those interests. This includes collection, use and disclosure in accordance with individual expectations, maintaining the privacy and confidentiality of their information, and utilizing and disclosing the data only in the manner that they have consented to, as well as providing an opportunity for them to access data acquired from their activities and also to withdraw their consent.
Data acquired from third parties will also be subject to their interests. Interests and related rights and obligations will be outlined within a data-sharing agreement with third parties. Consent will be required from participants (or those authorized to act on their behalf) in order to share personal identifiable data with third parties.
D. Data Anonymization
In order to assist with data security and confidentiality reasonable steps will be taken to anonymize data at the sources of collection, including assigning a unique identifier to each unique program participant before data is transferred, stored or manipulated.
The identifier key will be restricted to program staff for initial data input and program operation, the United Way database administrator for ensuring validity of data, and the lead evaluator for analysis purposes. An exact list of staff with access to this anonymized data is codified with the accompanying data access matrix.
An illustration of such a data flow is outlined below.
Although the majority of work and analysis will not require full de-anonymization, appropriate steps will be taken to ensure that processes are in place to minimize potential data exposure.
E. Consent and Data Acquisition
Obtaining informed consent is a pivotal element to gain trust and partnership with those we serve in the community. By gathering consent in a transparent process, we build trust with participants and partners around the use of their data.
United Way will take all reasonable steps with its ProsperUs partners to ensure that those from whom consent is sought understand what they are consenting to and the related implications of giving or withholding consent, before data is collected, stored, used or disclosed.
Actions will be taken to remove barriers to understanding consent, including translation of documentation, allowing time for authorized representatives to review and consider the documentation before signing, clearly identifying potential usages and disclosures of data within the consent forms, and outlining incentives and additional services that can be provided if consent is given. Where possible we will seek to obtain consent through a non-biased, power-neutral process that leverages neutral third parties.
a. Consent for collection, use and disclosure of different types of Data
United Way collects consent as it relates to data in three main categories:
i. Program Participation
Program consent is the basis for participating in a program provided by United Way and ProsperUs partners. Within this consent basis, only program-specific data collection occurs. Examples include participant registration information, emergency contact information, and basic demographic data, as examples. Only data necessary to deliver the program will be collected.
By providing program consent, participants agree to the collection and use of basic administrative data for tracking. This enables and then includes aggregate elements like program attendance and progress tracking on specific program learning objectives. This data is leveraged to improve program delivery and target specific services to those in most need.
This consent is required before a participant takes part in a ProsperUs program funded by United Way.
ii. Program Elements requiring Evaluation
Evaluation consent is an additional level of consent required to participate in specific program elements that will be evaluated. Depending on the nature of the program, additional data could include surveying, focus groups, interviews, or other evaluation tactics. This consent will be sought at the beginning of the program but will be reaffirmed at the time of evaluation, and a participant can choose not to proceed.
Evaluation elements can be linked to specific program activities or incentives that, should a participant opt out of consent, they would not be eligible to participate in. This eligibility will be explained as a part of program registration. For some programs, evaluation may be a condition of participation.
iii. Marketing
Additional consent will be sought for any marketing or promotional activity that individually identifies the specific program participants. General marketing consent for non-specific items such as photo or video images is sought at the time of program registration.
Consent for other items, such as quotes, stories or articles for publication, will specify the use of their data. Prior to any publication of specific identifying data for marketing purposes, efforts will be made to reconnect with the subject and allow their feedback on the materials.
All marketing consent is time-constrained for a period of 3 years, after which point additional consent to continue using the story or likeness will be sought, or usage will end. Should the intended usage of subject data change, additional consent will be sought.
b. Continuing Consent or Data Retention Past the end of Program Participation
At the completion of a program, additional consent will be sought from program participants regarding the retention of de-anonymized data. Continuing Consent will trump any previous consent as the most recent version of accepted consent obtained.
Participants who allow their base data to be retained in de-anonymized format will be able to be contacted about new or additional programming opportunities, supports, etc. Data for which such consent has been obtained will remain deanonymized for a period of 5 years, at which point, it will be anonymized provided that all other retention requirements are satisfied.
Participants who do not consent to their data remaining de-anonymized will have their identifiable information removed from our systems as soon as all retention requirements are satisfied.
c. Consent of Minors
Consent of Authorized Representatives will be sought for persons under the age of 18 in order for initial program enrolment and in other circumstances where required by law.
It is noted that persons under the age of 18 may be legally capable of providing informed consent on their own, for example, as it relates to participation in certain program elements or to access certain services. Once enrolled, youth may be able to provide consent for Program Participation, Program Elements requiring Evaluation, and Marketing without the consent of an Authorized Representative.
d. Consent where Scope of Data Collection, Usage or Disclosure has Changed
Should the scope of data collection, usage or disclosure change, attempts will be made to re-confirm consent before new collection usage or disclosure occurs. If consent is not gained, participants may not be able to continue in the certain activities.
e. Withdrawal of Consent
Consent for Program Participation, Program Elements requiring Evaluation and/or for Marketing may be withdrawn at any time by the participant or their Authorized Representative in writing. Withdrawal of consent for Program Elements requiring Evaluation may impact the level of participation in certain program activities as described in E(a)(ii).
Should consent be withdrawn, subject to any retention requirements, identifying characteristics of their data will be removed from databases and records, and other data will be anonymized. A full deletion of all records and data is not always possible due to the need to maintain overall data integrity over time, risk mitigation purposes, and historical archiving.
F. Data Access and Storage
The fewer points of access to sensitive data there are, the more secure this data is. United Way will develop a data access matrix that reviews roles within the organization and the level of access those roles have to particular data sets. Only key staff will have access to de-anonymized data and the program identification keys that are generated.
Staff, volunteers, students, etc., will only see data in aggregated forms in a format that suits their roles. Senior management and staff will monitor access to data and adjust the data access matrix as required or on a case-by-case basis. These ongoing changes will be reported to the United Way Board of Directors as part of annual monitoring.
G. Disclosure and Data Sharing
Data will be used in anonymized aggregated forms to provide information and feedback to ProsperUs partners. This policy contemplates data-sharing requests by ProsperUs partners and other third parties. Beyond core service partners, United Way will assess data-sharing requests on a case-by-case basis depending on the scope of the request, the type of data and the intent of use.
a. Disclosure to Participants
Program participants are entitled, with reasonable notice, to be provided with a copy of data that has been collected as a result of their participation.
b. Data Sharing Requests
All potential data-sharing requests must be made by formal submission to United Way staff outlining the specific data being requested, the purpose of this request, and planned usage for the data. Depending on the scope of the request, the next steps will be determined.
Program data will exist in 3 forms: open, anonymized, or de-anonymized.
i. Requests for Open Data, such as aggregate performance metrics that are already published will be shared with no pre-requirement beyond the initial request as the data is, by definition, already open and public.
ii. Requests for Anonymized Data, such as non-identifiable program participation information, would be determined by the scope and breadth of the request.
- As some anonymized data aggregates become public as a part of United Way reporting and marketing, aggregates like this could be freely shared with few constraints.
- More thorough data requests that require access to anonymized data sources at a program level would require a data-sharing agreement between United Way and the data partner. The agreement would outline the formal terms of the shared data and the acceptable usages and disclosures.
iii. Requests for de-anonymized data and detailed information on the project, purpose, and research scope would be required. De-anonymized data would only be shared with academic or institutional partners for research purposes. A formal data-sharing agreement mirroring United Way’s data policies would be required A process to ensure data destruction at the conclusion of the process would also be established.
c. Data obtained from Third Parties
For data that United Way has acquired through data-sharing agreements and holds as a steward and/or custodian, the terms of our agreement with those partners would determine if data could be used and shared. We would ensure that the partner is properly notified of the request and allowed to provide input before proceeding.
d. Disclosure to Third-Party Contractors
United Way may contract with third parties to design, build, and maintain data transmission, storage, and reporting systems. Such third-party contractors will be required to maintain confidentiality of all data and processes as part of the terms of their engagement.
H. Data Transfer
United Way uses tools to collect and move data in a controlled and secure manner. Processes and procedures standardize data collection and transfer processes to reduce duplication, maintain quality and minimize the potential for unauthorized disclosure.
I. Data Retention
Due to the longitudinal nature of United Way’s work in the community and its goal of shifting conditions over time, the need to collect, store, and utilize data over time is vital to our work.
Consent for data retention is described in section E(b).
All data will be anonymized regardless of consent status after a 5-year period after the end of program participation unless retention is required by law or other limitations. Program identification keys will , be maintained separately for a period of 10 years after the completion of the program, subject to any retention obligations according to statute and common law principles. This will allow us to identify program participants where required while allowing for the deletion of other non-anonymized data.
After a 5-year period, qualitative data will be moved to an archive for potential historical usage.
A directory will be maintained – the Directory or Records – that identifies the nature of all data collected, and its retention policy and status.
J. Data Governance and Funded Partners
For ProsperUs partners and programs that are funded by United Way, a condition of their funding will be to adhere to United Way data governance processes and terms for those related programs. The exact terms of that governance will be structured based on program-specific circumstances and the funding level with the partners. Considerations may include timing of reporting, partner use of United Way collected data, and other matters.
In situations of co-investment or where United Way is a minority investor in a program, funders will negotiate data rights and responsibilities prior to executing a funding agreement with a service delivery agency.
K. Staff Lead
The VP, Finance & Technology is identified as the senior staff person responsible for leading and maintaining compliance with the data governance policy and frameworks.
L. Data Governance and Oversight
On an annual basis, senior staff will report to the Board of Directors regarding the program data governance system. This report will outline:
- existing and ongoing data sharing agreements with third parties,
- a summary of tools being utilized,
- an overview of the data access matrix for organizational staff,
- a risk assessment of existing data processes,
- a summary of any complaints received,
- a summary of any policy breaches, and
- recommendations on policy evolution based on experience.
This will be overseen by the Board Governance Committee and will be incorporated into the Board of Directors’ work plan.
M. Data Breach
Should a breach occur, the existing data breach plan will be implemented (approved by the Board of Directors in December 2018).
This policy and processes will be reviewed, and recommendations brought back to the Board for consideration in advance of the annual review.
Glossary of Terms
Anonymized Data – Data with all identifying characters and indicators removed.
Authorized Representative – A parent, guardian, or other person legally able to give consent for another person.
Data Access Matrix – A standardized best practice tool for identifying staff’s level of access to data within the organization.
Data Custodian – A formalized role responsible for the structures and processes through which data is collected and stored.
Data Lake – An unstructured database for the storage of aggregated data.
Data-Sharing Agreement – A formal legal agreement between organizations, groups, or individuals outlining the roles and responsibilities related to the access and sharing of data between partners.
Data Steward – A formalized role responsible for inputting data into a specific structure or process.
De-anonymized Data – Data with identifying features included with the aggregates that identify specific individuals.
Directory of Records – a single access point location for key data tracking and responsibilities.
Open Data – Publicly available or accessible data.
Program Identification Key—As part of the data anonymization process, all program participants will be assigned a randomized statistical number. This number will be used in our databases for tracking purposes. The Identification key is a separate document/spreadsheet/manual containing the identifiable name and information of individuals participating and the assigned statistical number.
Qualitative Data – Story or narrative information that is captured about a program or service.
Quantitative Data – Statistical or numerical data.
Third-Party Data – Data owned by another organization or entity.